> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Markus Moeller
> Sent: Monday, April 13, 2009 6:08 PM
> To: [email protected]
> Subject: Re: SASL authentication
>
> something like this should work
>
> sasl_secprops = (char *)"maxssf=0";
> ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, (void *)sasl_secprops );
This works, but only partially. The first binding is successful, the later ones
all fail, citing the reason "81 Can't contact LDAP server". :-(
The code is like this:
==============================================
static char *sasl_secprops = "maxssf=0";
.....
if (sslEnabled)
{
    /* Apply the SASL security properties to the handle as it is at this point. */
    if (ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS,
                        (void *)sasl_secprops) != 0)
    {
        /*
        ** unbind ldap handle.
        */
        if (ldapHandle != (LDAP *)NULL)
        {
            LOGINFO("ldap_unbind_s3");
            ldap_unbind_s(ldapHandle);
            ldapHandle = (LDAP *)NULL;
        }
        LOGERROR("Failed to set maxssf to 0");
        return(ABA_LDAP_SET_UNABLE_TO_SET_PREFS);
    }
    /* ldapssl_init() returns a new handle; ldapHandle is overwritten here,
       after the option above was set on its previous value. */
    if ((ldapHandle = ldapssl_init(serverHost, serverPort, 1)) == NULL)
    {
        LOGERROR("Failed to do ldapssl_init...");
        return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("LDAP SSL CONNECTION SUCCESSFUL to %s",
            ldapServerConfigData.hostnames);
}
else
{
    /* Plain (non-SSL) handle; no SASL security properties are set here. */
    if ((ldapHandle = prldap_init(serverHost, serverPort, 0)) == NULL)
    {
        LOGERROR("prldap_init failed");
        return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("prldap_init succeeded");
}
......
/* SASL/GSSAPI bind on whichever handle was created above. */
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
if (responseControls != NULL)
{
    LOGINFO("SASL binding finished, will destroy responseControls");
    ldap_controls_free(responseControls);
    responseControls = NULL;
}
LOGINFO("SASL LDAP BIND with GSSAPI: Value of ldapStatus %d", ldapStatus);
==============================================
You can see that, compared to non-SSL binding with SASL/GSSAPI, there are only
two differences. One is to set the option of maxssf to be 0, the other is
ldapssl_init() versus prldap_init(). But the log shows ldapssl_init() is always
successful.
The log tells me:
==============================================
<apManager> (Tue Apr 14 2009 11:04:22.587)
<p25348,t3078937504,aba_ldap_interface.c,1625>
INFO>> SASL Login
<apManager> (Tue Apr 14 2009 11:04:23.186)
<p25348,t3078937504,aba_ldap_interface.c,1639>
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 0
<apManager> (Tue Apr 14 2009 11:04:23.186)
<p25348,t3078937504,aba_ldap_interface.c,1702>
INFO>> ldap_unbind_s6
......
INFO>> SASL Login
<apManager> (Tue Apr 14 2009 11:04:23.223)
<p25348,t3078937504,aba_ldap_interface.c,1639>
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 81
<apManager> (Tue Apr 14 2009 11:04:23.223)
<p25348,t3078937504,aba_ldap_interface.c,1646>
ERROR>> LDAP BIND: Value of ldap failure status and text 81 Can't contact
LDAP server
<apManager> (Tue Apr 14 2009 11:04:23.223)
<p25348,t3078937504,aba_ldap_interface.c,1659>
ERROR>> ABA_LDAP_BIND_SERVER_DOWN
==============================================
The server is confirmed to be alive all the time. In contrast, if SSL is not
enabled, then SASL binding is always successful, no matter how many bindings
are tried.
Any suggestions on this issue?
Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
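The only knob the thread turns is the property string passed to LDAP_OPT_X_SASL_SECPROPS, so the example below, added here and not code from the thread or from the Mozilla LDAP C SDK, parses that string and reports whether it actually switches the SASL security layer off (maxssf=0) before it is handed to ldap_set_option(). The keyword set follows the SASL_SECPROPS list documented in OpenLDAP's ldap.conf(5); the default values for maxssf and maxbufsize are simplifying assumptions, and the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed view of a SASL security-properties string such as "maxssf=0" or
 * "minssf=56,maxssf=256,noplain". Illustration only, not SDK code. */
struct secprops {
    unsigned long minssf;     /* lowest acceptable security strength factor */
    unsigned long maxssf;     /* highest SSF the SASL layer may negotiate */
    unsigned long maxbufsize; /* largest security-layer buffer */
    int noplain, noactive, nodict, noanonymous, forwardsec, passcred;
};

/* Parse "key=value,flag,..." into *sp. Returns 0 on success, -1 on an
 * unknown keyword, a non-numeric value, or minssf > maxssf. */
int parse_secprops(const char *s, struct secprops *sp)
{
    char buf[256], *tok;
    memset(sp, 0, sizeof *sp);
    sp->maxssf = 256;        /* assumed default: a SASL layer is allowed */
    sp->maxbufsize = 65536;  /* assumed default */
    if (s == NULL || strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *eq = strchr(tok, '='), *end;
        if (eq) {
            unsigned long v;
            *eq++ = '\0';
            v = strtoul(eq, &end, 10);
            if (*eq == '\0' || *end != '\0') return -1;   /* not a number */
            if (!strcmp(tok, "minssf")) sp->minssf = v;
            else if (!strcmp(tok, "maxssf")) sp->maxssf = v;
            else if (!strcmp(tok, "maxbufsize")) sp->maxbufsize = v;
            else return -1;
        } else if (!strcmp(tok, "noplain")) sp->noplain = 1;
        else if (!strcmp(tok, "noactive")) sp->noactive = 1;
        else if (!strcmp(tok, "nodict")) sp->nodict = 1;
        else if (!strcmp(tok, "noanonymous")) sp->noanonymous = 1;
        else if (!strcmp(tok, "forwardsec")) sp->forwardsec = 1;
        else if (!strcmp(tok, "passcred")) sp->passcred = 1;
        else if (!strcmp(tok, "none"))      /* clears the flag properties */
            sp->noplain = sp->noactive = sp->nodict =
            sp->noanonymous = sp->forwardsec = sp->passcred = 0;
        else return -1;
    }
    return sp->minssf > sp->maxssf ? -1 : 0;
}

/* Numeric property of a string by name; (unsigned long)-1 on any error. */
unsigned long secprops_value(const char *s, const char *key)
{
    struct secprops sp;
    if (parse_secprops(s, &sp) != 0) return (unsigned long)-1;
    if (!strcmp(key, "minssf")) return sp.minssf;
    if (!strcmp(key, "maxssf")) return sp.maxssf;
    if (!strcmp(key, "maxbufsize")) return sp.maxbufsize;
    return (unsigned long)-1;
}

/* A session from ldapssl_init() is already encrypted by TLS, so a GSSAPI
 * security layer on top of it is redundant; maxssf=0 tells the SASL
 * library not to negotiate one. Returns 1 when the string does that. */
int secprops_disable_sasl_layer(const char *s)
{
    struct secprops sp;
    return parse_secprops(s, &sp) == 0 && sp.maxssf == 0;
}

int main(void)
{
    /* constructed sample property strings */
    const char *props[] = { "maxssf=0", "minssf=56,maxssf=256,noplain",
                            "maxssf=abc", "minssf=128,maxssf=0" };
    size_t i;
    for (i = 0; i < sizeof props / sizeof props[0]; i++)
        printf("%-30s parse=%-5s sasl-layer-off=%d\n", props[i],
               secprops_value(props[i], "maxssf") == (unsigned long)-1 ? "error" : "ok",
               secprops_disable_sasl_layer(props[i]));
    return 0;
}
```

Running the check before ldap_set_option() catches a malformed or contradictory string (for instance minssf higher than maxssf) at the point where it is built, instead of leaving it to surface as a bind failure later.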